Tag: ssl

Setting up DA with an SSL certificate

by admin on Sep.08, 2009, under DirectAdmin

You can switch DirectAdmin to use SSL instead of plain text, i.e. https instead of http on port 2222.
Note that this is for the DirectAdmin connection on port 2222, *not* for apache.
If you’re trying to set up a certificate for your domain through apache, use this guide.
If you do not have your own certificates, you’ll need to create your own:

/usr/bin/openssl req -x509 -newkey rsa:2048 -keyout /usr/local/directadmin/conf/cakey.pem -out /usr/local/directadmin/conf/cacert.pem -days 9999 -nodes

chown diradmin:diradmin /usr/local/directadmin/conf/cakey.pem
chmod 400 /usr/local/directadmin/conf/cakey.pem


This is the old method; use either the one above or this one. The end result is the same, but this one takes more steps.

openssl req -new -x509 -keyout /usr/local/directadmin/conf/cakey.pem.tmp -out /usr/local/directadmin/conf/cacert.pem -days 3653

openssl rsa -in /usr/local/directadmin/conf/cakey.pem.tmp -out /usr/local/directadmin/conf/cakey.pem

rm -f /usr/local/directadmin/conf/cakey.pem.tmp
chown diradmin:diradmin /usr/local/directadmin/conf/cakey.pem
chmod 400 /usr/local/directadmin/conf/cakey.pem

(Paste these one at a time as the first 2 require user input)


If you already have your own certificate and key, then paste them into the following files:
certificate: /usr/local/directadmin/conf/cacert.pem
key: /usr/local/directadmin/conf/cakey.pem
Edit the /usr/local/directadmin/conf/directadmin.conf and set SSL=1 (default is 0). This tells DA to load the certificate and key and to use an SSL connection. DirectAdmin needs to be restarted after this change.
If you also have a CA Root Certificate, this can be specified by adding:
carootcert=/usr/local/directadmin/conf/carootcert.pem
to the /usr/local/directadmin/conf/directadmin.conf file (the setting won’t exist by default) and by pasting the contents of the CA root certificate into /usr/local/directadmin/conf/carootcert.pem.
Note, as of 1.30.2, you can set the value of the SSL redirect should a User connect to an https connection with plaintext http.
http://www.directadmin.com/features.php?id=801
As of 1.33.3, you can enable an SSL cipher setting to force SSLv3 and disable SSLv2:
http://www.directadmin.com/features.php?id=957
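
A check to run after the steps above, added here as an example and not part of the original post or of DirectAdmin: it confirms the SSL setting, the presence of the certificate and key, the key's 400 mode, and that the certificate and key belong together. The function names are hypothetical, and treating the last SSL= line as the effective one is an assumption.

```shell
#!/bin/sh
# Added example (not from DirectAdmin): audit the files this post sets up.
# da_pair_matches and da_ssl_audit are hypothetical helper names.

# Succeeds only if the certificate and the private key share one public key.
da_pair_matches() {   # $1 = certificate, $2 = private key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Prints one line per problem found; returns 0 when there is none.
da_ssl_audit() {      # $1 = conf directory (defaults to the post's path)
    dir=${1:-/usr/local/directadmin/conf}
    conf=$dir/directadmin.conf
    rc=0
    # Assumption: the last SSL= line wins; the name is matched in either case.
    ssl=$(sed -n 's/^[[:space:]]*[Ss][Ss][Ll]=//p' "$conf" 2>/dev/null | tail -n 1)
    [ "$ssl" = 1 ] || { echo "SSL is not set to 1 in $conf"; rc=1; }
    for f in cacert.pem cakey.pem; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f"; rc=1; }
    done
    # The key must be exactly mode 400, as set by the chmod in the post.
    if [ -e "$dir/cakey.pem" ] && [ -z "$(find "$dir/cakey.pem" -perm 400)" ]; then
        echo "$dir/cakey.pem is not mode 400"; rc=1
    fi
    # carootcert= is optional; when set, the file it names must exist.
    root=$(sed -n 's/^[[:space:]]*carootcert=//p' "$conf" 2>/dev/null | tail -n 1)
    if [ -n "$root" ] && [ ! -s "$root" ]; then
        echo "carootcert names a missing file: $root"; rc=1
    fi
    return "$rc"
}

# Usage on a live server (as root):
#   da_ssl_audit && da_pair_matches /usr/local/directadmin/conf/cacert.pem \
#       /usr/local/directadmin/conf/cakey.pem
```

A certificate pasted next to the wrong key passes every file check and still fails the pair comparison, so run both before restarting DirectAdmin.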


[warn] Init: SSL server IP/port conflict: www.domain.com:443

by admin on Sep.07, 2009, under DirectAdmin

If you get this warning in your apache logs, don’t worry, it’s perfectly normal.

[warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[warn] Init: SSL server IP/port conflict: www.domain.com:443
[warn] Init: You should not use name-based virtual hosts in conjunction with SSL!!

The warnings appear because DA uses name-based hosting, which means many domains share one IP. Only 1 SSL certificate is valid per IP address, hence the warning. An explanation of that can be found at the link below.
Note that these are just warnings, not errors.


mod_ssl: Init: Failed to generate temporary 512 bit RSA private key

by admin on Sep.07, 2009, under DirectAdmin

This error appears to show up sometimes when using MySQL 5 with --with-mysql=/usr.
There have been reports that changing it to --with-mysqli=/usr/bin/mysql_config will fix this, but when I tried it, the mysql client api in php was set to mysql 3, so it wasn’t quite working. The solution I used was to have them both in the configure.php:

--with-mysql=/usr \
--with-mysqli=/usr/bin/mysql_config \

Then recompile php:

./build clean
./build php n

Then I edited the /etc/httpd/conf/httpd.conf and changed:

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512

to:

#SSLRandomSeed startup builtin
#SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
SSLRandomSeed connect file:/dev/urandom 512

Quite possibly, only the changes to the httpd.conf are actually required, but adding the extra functionality of mysqli probably won’t hurt any.
I also upgraded MySQL to 5.0.41 (in this case, it was a 64-bit server):
http://files.directadmin.com/services/all/mysql/64-bit/


How to disable SSL2.0 in apache

by admin on Sep.07, 2009, under DirectAdmin

To disable the SSL2.0 protocol (thus forcing 3.0),
for apache 1.3, find the line:

#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

and change it to:

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:!SSLv2:+EXP:+eNULL

Note the 2 changes: a) remove the # character at the beginning of the line, and b) change +SSLv2 to !SSLv2

For apache 2.x, do the same thing, but instead it will be in the /etc/httpd/conf/ssl.conf file, or for the new apache system, /etc/httpd/conf/extra/httpd-ssl.conf (if you have both files, just change it in both).
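
A way to check the result across config files, added here as an example and not taken from the post or from Apache: it reports SSLCipherSuite lines that are still commented out and, going beyond the SSLv2 change described above, lines that leave the EXP and LOW cipher classes available. The function name audit_cipher_suites is hypothetical, and the cipher-string handling is a simplified model, as noted in the comments.

```shell
#!/bin/sh
# Added example (not from the post): flag SSLCipherSuite lines that are
# commented out or that leave weak cipher classes available.
# Simplified model of OpenSSL cipher strings: a class is available when the
# string holds ALL or names the class itself, and is only counted as removed
# when "!CLASS" appears. "+CLASS" reorders the list and removes nothing.
audit_cipher_suites() {   # $1 = Apache config file; returns 1 on any finding
    awk '
    /^[ \t]*#[ \t]*SSLCipherSuite[ \t]/ {
        printf "%d: SSLCipherSuite is commented out\n", NR
        bad = 1
        next
    }
    /^[ \t]*SSLCipherSuite[ \t]/ {
        split("", off); split("", on)        # reset per line
        n = split($2, tok, ":")
        for (i = 1; i <= n; i++) {
            if (tok[i] ~ /^!/) off[substr(tok[i], 2)] = 1
            else if (tok[i] !~ /^[+-]/) on[tok[i]] = 1
        }
        m = split("SSLv2 EXP LOW", weak, " ")
        for (j = 1; j <= m; j++)
            if ((("ALL" in on) || (weak[j] in on)) && !(weak[j] in off)) {
                printf "%d: %s ciphers still allowed\n", NR, weak[j]
                bad = 1
            }
    }
    END { exit bad + 0 }' "$1"
}
```

Run against the changed line shown above, it no longer reports SSLv2 but still reports EXP and LOW, because +EXP and +LOW only reorder ciphers that ALL has already added.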


Error: Cannot find SSL binaries under /usr

by admin on Sep.07, 2009, under DirectAdmin

This happens when the configure script for apache cannot find the "openssl" (or "ssleay") binaries in any of
/usr/bin/openssl
/usr/sbin/openssl
/usr/apps/openssl
The usual location for "openssl" is /usr/bin/openssl
On a debian system, run

apt-get install openssl

